AS200887 VELCOM-IT Velcom Srl

AS overview

Test target: 2a13:1580::1 · static prefix probe · address space: PA · prefixes announced: 1

prefix(es): 2a13:1580::/29

Targets & per-vantage-point probe results (1 target(s) across 3 vantage point(s))

Source codes (hover any badge for full description): CUR=curated · NS/SOA/MX=DNS records · SPF=SPF TXT · DRV=holder-derived (www, ns1, mail, gw, …) · ATL=RIPE Atlas · PDB=PeeringDB · WHOIS=RIPE whois · RDAP=RIPE RDAP · HIT=IPv6 Hitlist · RTR=in-prefix path hop (router) · PRB=static prefix probe · SYN=synthetic prefix::1 fallback

Target IP / hostname	Source	NL host (go6lab)					ITA host (Karsolink)					SLO host (6connect)
Target IP / hostname	Source	ping	1500B	:80	:443	reached	ping	1500B	:80	:443	reached	ping	1500B	:80	:443	reached
`2a13:1580::1`	prb	✓	✓	open	open	✓	✓	✓	open	open	✓	✓	✓	open	open	✓

RPKI & ASPA

1 of 1 prefix(es) covered by a valid ROA.

Prefix	RPKI state	Reason	Covering VRP(s)
`2a13:1580::/29`	✓ valid	matched VRP (correct origin, length within maxLength)	AS200887 /29 maxLen 29 (ripe)

Random-IP probe (yarrp) into the AS' prefixes

We probed 15 arbitrary IPv6 address(es) inside AS200887's announced prefix(es). No router inside the prefix responded. The deepest visible hop was fd13:1580::2 at hop 12 - that router does not answer ICMPv6 Echo. This is not in AS200887's announced prefix; operationally it's the AS-edge / peering interface (often on an IXP peering address or an upstream's /127 link). The traceroute boundary is the AS edge: ICMPv6 Time-Exceeded responses from anything inside this AS are filtered.

ICMPv6 Type 2 (Packet Too Big) acceptance - active test

Vantage points disagree about Type 2 acceptance - transit ASes on one path may be filtering Type 2 even though the destination's stack accepts it on another path:

NL host (go6lab): Type 2 honored. Forged PTB accepted; next response shrunk. (ICMPv6 Echo + forged PTB)
ITA host (Karsolink): Type 2 NOT honored. Forged PTB had no effect (filtered en route or stack ignored it). (active test)
SLO host (6connect): Type 2 honored. Forged PTB accepted; next response shrunk. (ICMPv6 Echo + forged PTB)

Why they disagree - different probe methods: These vantages picked different probe methods, so their verdicts are not directly comparable. The active test tries methods in order (icmp6-echo → dns-tcp → tls → http) and stops at the first that produces a definitive verdict; if the chosen method differs, the underlying evidence differs too. Most often this is because the path PMTU on one vantage is below 1500 B, so the natural Echo Reply is already fragmented and the icmp6-echo method falls through to a TCP-based one. This is largely a measurement artifact, not a destination-behaviour difference.

Failure detail — what to grep in your logs

vantage	our source	your target	method	result	tested (UTC)
go6lab	`2a00:8642:42::75`	`2a13:1580::1`	`icmp6-echo`	honored	2026-05-30T12:48:50Z
karsolink	`2a12:d8c0:105a:9001::a154`	`2a13:1580::1`		not_honored	2026-05-30T12:59:59Z
odin	`2607:fae0:a000::42`	`2a13:1580::1`	`icmp6-echo`	honored	2026-05-30T12:48:29Z

Attempt log (go6lab):

icmp6-echo → honored (size_before=1460, size_after=None)
dns-tcp → no_tcp: connect failed: timed out
tls → inconclusive (size_before=7, size_after=None): largest TLS segment 7B too small to detect shrink
http → not_honored (size_before=1504, size_after=1504)

Attempt log (karsolink):

icmp6-echo → no_echo: no Echo Reply to 1300-byte probe
dns-tcp → no_tcp: connect failed: [Errno 111] Connection refused
tls → inconclusive (size_before=7, size_after=None): largest TLS segment 7B too small to detect shrink
http → not_honored (size_before=1504, size_after=1504)

Attempt log (odin):

icmp6-echo → honored (size_before=1460, size_after=None)
dns-tcp → no_tcp: connect failed: [Errno 111] Connection refused
tls → inconclusive (size_before=7, size_after=None): largest TLS segment 7B too small to detect shrink
http → not_honored (size_before=1504, size_after=1504)

To match the corresponding ICMPv6 packet on your side (host firewall, AS edge, or transit tap), look for our PTBs around the timestamps above:

sudo tcpdump -i any -n -e 'icmp6 and ip6[40] = 2 and (src host 2607:fae0:a000::42 or src host 2a00:8642:42::75 or src host 2a12:d8c0:105a:9001::a154)'

If you see our PTBs arriving but the destination's TCP/Echo flow does not shrink, the drop is in the destination kernel (cause 3 below). If you don't see them at all, drop is upstream of you (cause 2). If you only see them from one of our two source IPs, the drop is path-asymmetric — one transit on the asymmetric route is filtering, the other is not.

What does "Type 2 not honored" actually mean? — click to expand

What this test does

Using the active test method (port 80), we send a forged ICMPv6 Type 2 PTB and watch for an effect. RFC 4890 requires hosts and intermediate networks not to filter ICMPv6 Type 2; the destination's TCP/UDP stack must act on a received PTB by lowering its Path MTU cache for that destination, which makes subsequent segments smaller.

What we measured

The TCP segment size your server emitted before our forged Type 2 was 1504 B; after, it was 1504 B. No change. RFC 4890 ("Type 2 messages MUST NOT be filtered") expects subsequent segments to shrink to fit a Path MTU of 1280 B.

Three plausible causes

Your host firewall is dropping ICMPv6 Type 2 inbound. Many default firewall rule sets only allow Echo Request/Reply and Neighbor Discovery, silently dropping all other ICMPv6 types - including Packet Too Big.
An upstream / transit network is dropping ICMPv6 Type 2 before it reaches you. Some transit ASes filter ICMPv6 messages other than Echo at the edge. The forged PTB never arrives, so your stack never has a chance to act on it.
Your kernel is ignoring the PTB. Linux / BSD stacks normally accept ICMPv6 PTB and update the route cache, but a few sysctls (or a hardened kernel) can be configured to ignore PMTU updates - typically as part of an over-aggressive anti-spoofing or uRPF policy.

How to check & fix (Linux examples)

1. Confirm Type 2 is not blocked at the host firewall:

sudo ip6tables -L INPUT -nv | grep -iE 'icmpv6|packet-too-big'
sudo nft list ruleset 2>/dev/null | grep -A1 'icmpv6'

If you see rules dropping ICMPv6 unconditionally, change them to permit at least icmpv6 type packet-too-big (and destination-unreachable, time-exceeded, parameter-problem per RFC 4890).

2. Confirm the kernel accepts incoming PTB:

sudo sysctl net.ipv6.conf.all.accept_redirects net.ipv4.ip_no_pmtu_disc net.ipv6.route.mtu_expires

The defaults (accept_redirects=1, ip_no_pmtu_disc=0) are the right values for honoring PTB.

3. Live trace: while we have an open TCP flow with a small MSS (we run our test from 2607:fae0:a000::42 on odin, 2a00:8642:42::75 on go6lab and 2a12:d8c0:105a:9001::a154 on karsolink), watch for our forged Type 2 arriving on your interface:

sudo tcpdump -i any -n -e 'icmp6 and ip6[40] = 2 and (src host 2607:fae0:a000::42 or src host 2a00:8642:42::75 or src host 2a12:d8c0:105a:9001::a154)'

If you see our PTBs arriving but TCP segments still stay big, the drop is in your kernel or NIC offload (cause 3). If you don't see them at all, the drop is upstream of you (cause 2) - ask your upstream(s) to permit ICMPv6 Type 2.

4. If your test target above (2026-05-30T12:59:59Z) is a host that you don't own (e.g. a third-party DNS / TLS server you happen to operate prefixes for), the verdict reflects that specific host's behaviour - try the test against a server you do own and we'll happily re-run.

RFC 4890 references: §4.3.1 (Packet Too Big - MUST NOT be dropped), and RFC 8201 for the broader PMTUD requirement.

tracepath6 per-hop PMTU drilldown

For each target where Type 2 verdicts disagreed across vantages, tracepath -6 ran from every vantage to capture per-hop PMTU evolution along that vantage's actual forward path. A pmtu change entry on a hop means that hop's router generated a PTB and we observed the shrink; absence of any change combined with a not_honored verdict suggests a router somewhere downstream is silently dropping >MTU packets (an RFC 4890 violation) rather than sending a PTB.

Target `2a13:1580::1`

go6lab — verdict honored

verdict = honored; final pmtu = 1500

#	hop IP	pmtu change
1	<span class='muted'>no reply</span>
2	2a00:8642:1000:f000::1
3	2001:7f8:b7::a504:1327:1
4	2a03:b020::254
5	2a03:b020:1:5c::b
6	2a13:1580::1

karsolink — verdict not_honored

verdict = not_honored; final pmtu = 1500

#	hop IP	pmtu change
1	<span class='muted'>no reply</span>
2	2a12:d8c0:109f:121::a1
3	2a12:d8c0:101f:6::1
4	2a03:b020:1:51::a
5	2a03:b020::254
6	2a03:b020:1:5c::b
7	2a13:1580::1

odin — verdict honored

verdict = honored; final pmtu = 1500

#	hop IP	pmtu change
1	<span class='muted'>no reply</span>
2	2607:fae0:a000:2::2
3	2a03:a100:0:201:1::1
4	2001:470:1:5be::1
5	2001:470:0:578::1
6	2001:470:0:41d::2
7	2001:7f8:44::a16f:0:1
8	2a03:b020::254
9	2a03:b020:1:5c::b
10	2a13:1580::1

From NL host (go6lab) openRFC 4890 ✓

filter likely at: (none) · min PMTU on path: 1500

4/4

Echo small (56B) 29.6ms

4/4

Echo 1500B (DF) 29.6ms

yes

Type 1 dest-unreach

443,80

TCP responds on

Path (traceroute + mtr + PTR)

#	IP / PTR	RTT	mtr loss	AS	AS holder
1	2a00:8642:42::3	1.8ms	0%	AS203993	STEFFANN-DC-AS - S.J.M. Steffann, NL
2	*	-	0%*	-
3	speed-ix.fibertelecom.it 2001:7f8:b7::a504:1327:1	3.5ms	0%	-	NA
4	2a03:b020::254	27.1ms	0%	AS41327	FIBERTELECOM-AS - Fiber Telecom S.p.A., IT
5	2a03:b020:1:5c::b	27.1ms	0%	AS41327	FIBERTELECOM-AS - Fiber Telecom S.p.A., IT
6	2a13:1580::1	29.5ms	0%	AS200887	VELCOM-IT - Velcom Srl, IT

tracepath -6

 1?: [LOCALHOST]                        0.027ms pmtu 1500
 1:  2a00:8642:42::3                                       2.133ms 
 1:  2a00:8642:42::3                                       2.029ms 
 2:  gw.friends.steffann.nl                                2.961ms 
 3:  speed-ix.fibertelecom.it                              4.130ms 
 4:  2a03:b020::254                                       27.707ms asymm  7 
 5:  2a03:b020:1:5c::b                                    27.328ms asymm  8 
 6:  2a13:1580::1                                         29.915ms reached
     Resume: pmtu 1500 hops 6 back 9

From ITA host (Karsolink) openRFC 4890 ✗

filter likely at: (none) · min PMTU on path: 1500

4/4

Echo small (56B) 21.5ms

4/4

Echo 1500B (DF) 21.8ms

yes

Type 1 dest-unreach

443,80

TCP responds on

Path (traceroute + mtr + PTR)

#	IP / PTR	RTT	mtr loss	AS	AS holder
1	karsolink-01.net.karsolink.com 2a12:d8c0:105a:9001::1	0.3ms	0%*	AS204471	KARSOLINK - 2S Computers SRL, IT
2	*	-	0%*	-
3	2a12:d8c0:101f:6::1	10.0ms	20%	AS204471	KARSOLINK - 2S Computers SRL, IT
4	2a03:b020:1:51::a	10.1ms	0%	AS41327	FIBERTELECOM-AS - Fiber Telecom S.p.A., IT
5	2a03:b020::254	18.6ms	0%	AS41327	FIBERTELECOM-AS - Fiber Telecom S.p.A., IT
6	2a03:b020:1:5c::b	18.2ms	0%	AS41327	FIBERTELECOM-AS - Fiber Telecom S.p.A., IT
7	2a13:1580::1	21.1ms	0%	AS200887	VELCOM-IT - Velcom Srl, IT

Rate-limited ICMPv6: hop 3 (loss between 5% and 95% across mtr cycles - the router replies but only sometimes).

tracepath -6

 1?: [LOCALHOST]                        0.053ms pmtu 1500
 1:  karsolink-01.net.karsolink.com                        0.862ms 
 2:  2a12:d8c0:109f:121::a1                                0.709ms 
 3:  no reply
 4:  2a03:b020:1:51::a                                    10.758ms 
 5:  2a03:b020::254                                       19.064ms asymm  7 
 6:  2a03:b020:1:5c::b                                    19.113ms asymm  8 
 7:  2a13:1580::1                                         21.623ms reached
     Resume: pmtu 1500 hops 7 back 9

From SLO host (6connect) openRFC 4890 ✓

filter likely at: (none) · min PMTU on path: 1500

4/4

Echo small (56B) 29.7ms

4/4

Echo 1500B (DF) 29.9ms

yes

Type 1 dest-unreach

443,80

TCP responds on

Path (traceroute + mtr + PTR)

#	IP / PTR	RTT	mtr loss	AS	AS holder
1	fw1-lju.6connect.com 2607:fae0:a000::2	0.3ms	0%*	AS8038	6CONNECT - 6connect, Inc., US
2	*	-	0%*	-
3	2a03:a100:0:201:1::1	0.8ms	10%	AS56635	XENYA - XENYA inzeniring, proizvodnja in trgovina, d.o.o. Ljubljana, SI
4	e0-1.core1.lju1.he.net 2001:470:1:5be::1	1.9ms	0%	AS6939	HURRICANE - Hurricane Electric LLC, US
5	100ge0-0-0-5.core1.vie1.he.net 2001:470:0:578::1	8.4ms	0%	AS6939	HURRICANE - Hurricane Electric LLC, US
6	e0-35.core2.muc1.he.net 2001:470:0:41d::2	12.0ms	0%	AS6939	HURRICANE - Hurricane Electric LLC, US
7	ipv6.de-cix.muc.as41327.fibertelecom.com 2001:7f8:44::a16f:0:1	17.4ms	0%	-	NA
8	2a03:b020::254	27.6ms	0%	AS41327	FIBERTELECOM-AS - Fiber Telecom S.p.A., IT
9	2a03:b020:1:5c::b	27.4ms	0%	AS41327	FIBERTELECOM-AS - Fiber Telecom S.p.A., IT
10	2a13:1580::1	29.6ms	0%	AS200887	VELCOM-IT - Velcom Srl, IT

Rate-limited ICMPv6: hop 3 (loss between 5% and 95% across mtr cycles - the router replies but only sometimes).

tracepath -6

 1?: [LOCALHOST]                        0.029ms pmtu 1500
 1:  fw1-lju.6connect.com                                  0.466ms 
 1:  fw1-lju.6connect.com                                  0.476ms 
 2:  no reply
 3:  2a03:a100:0:201:1::1                                  1.018ms 
 4:  e0-1.core1.lju1.he.net                                2.257ms 
 5:  100ge0-0-0-5.core1.vie1.he.net                        8.684ms 
 6:  e0-35.core2.muc1.he.net                              12.254ms 
 7:  ipv6.de-cix.muc.as41327.fibertelecom.com             17.680ms asymm 10 
 8:  2a03:b020::254                                       27.493ms asymm  9 
 9:  2a03:b020:1:5c::b                                    27.639ms asymm 10 
10:  2a13:1580::1                                         30.144ms reached
     Resume: pmtu 1500 hops 10 back 11

AS overview

RPKI & ASPA

Random-IP probe (yarrp) into the AS' prefixes

ICMPv6 Type 2 (Packet Too Big) acceptance - active test

What this test does

What we measured

Three plausible causes

How to check & fix (Linux examples)

tracepath6 per-hop PMTU drilldown

Target 2a13:1580::1

From NL host (go6lab) openRFC 4890 ✓

Path (traceroute + mtr + PTR)

tracepath -6

From ITA host (Karsolink) openRFC 4890 ✗

Path (traceroute + mtr + PTR)

tracepath -6

From SLO host (6connect) openRFC 4890 ✓

Path (traceroute + mtr + PTR)

tracepath -6

Target `2a13:1580::1`